# Fix: Web Bot Auth signature directory present (informational)

> Web-audit fix skill for the `web-bot-auth` check (Bot & crawl policy, MAY).

## Goal

Publish an HTTP Message Signatures directory if your site sends signed bot traffic.

## Fix

Informational only. If your site sends authenticated bot traffic, publish an HTTP Message
Signatures JWKS directory at `/.well-known/http-message-signatures-directory` so recipients can
verify your bot's signatures. Skip it if you do not send signed bot requests.

## Resources

- [Web Bot Auth draft](https://datatracker.ietf.org/doc/draft-meunier-web-bot-auth-architecture/)

## Copy-paste prompt

Paste this into your coding agent, replacing the Issue line with the Result line from [your audit](https://anc.dev/web-audit):

```text
Goal: Publish an HTTP Message Signatures directory if your site sends signed bot traffic
Issue: <the audit's finding for this check>
Fix: Informational only. If your site sends authenticated bot traffic, publish an HTTP Message Signatures JWKS directory at `/.well-known/http-message-signatures-directory` so recipients can verify your bot's signatures. Skip it if you do not send signed bot requests.
Skill: https://anc.dev/web-audit/skill/web-bot-auth
Docs: https://datatracker.ietf.org/doc/draft-meunier-web-bot-auth-architecture/
```

## Verify

Re-run the audit at [https://anc.dev/web-audit](https://anc.dev/web-audit) or call the `audit_website` MCP tool; the `web-bot-auth` check should report `pass`.
